Investment Firm Loses $495K in Spear-Phishing Attack

An investment firm recently lost $495,000 as a result of a successful spear-phishing attack against one of its employees.

According to The Detroit News, an employee at Pomeroy Investment Corporation recently received a spear-phishing email in which an attacker posed as a fellow company employee and asked the recipient to transfer $495,000 to a bank based in Hong Kong.

The employee fulfilled the money transfer. Eight days later, however, the Troy-based investment firm determined that the email had been a spear-phishing attack.

“Previously, it was typical for company employees to communicate by email and to make transfers of funds–even overseas,” said Troy Police Sgt. Meghan Lehman. “But in this case, someone hacked the account of the sender requesting the funds. And then [it] was days later before anyone questioned the transaction and learned they had been hacked.”

In a spear-phishing (or whaling) campaign, attackers use personalized emails to lull a victim into a sense of familiarity with the sender so that they will be more inclined to click on a suspicious link, download a malicious email attachment, or send over sensitive company information, including W-2 information.

This particular attack leveraged spear-phishing as part of a business email compromise (BEC) scam by which attackers obtain access to an internal staff member’s email and abuse that access to authorize fraudulent wire transfers to banks of their choice.

“To be honest we’re seeing both types of whaling on the rise. There is evidence to suggest the cyber criminals are using malware resident on the machine, such as Dridex, to give them enough intelligence on a target to help them decide what type of attack to carry out,” Scott-Cowley toldSCMagazine in an email. “So an HR user might be targeted with a W-2 style attack, whereas as a finance user would be stung with financial fraud. Then again domestic or low-value targets might just be sent a crypto malware instead, so as to extort a few hundred Bitcoin from them.”

Since suffering the spear-phishing attack, Pomeroy has alerted its insurer to the theft.

The company has also revised its internal policies so that money transfers of a similar size will need to be processed by a method other than email in the future.

News of this attack follows just weeks after an unidentified American corporation lost $100 million in a successful spear-phishing attack.